Regression: Tab crash is observed on ‘www.softlayer.com’
Reported by dmascare...@etouch.net, Apr 27 2016
Issue description
Chrome Version: 51.0.2704.29 Revision d7a063c1fedf1f6ccb6eb9f50a9028bd742652d7-refs/branch-heads/2704@{#260} (32/64 bit)
OS: Windows (7, 8, 10), Mac (10.10.5)(10.11.4), Linux (ubuntu 14.04 LTS)
What steps will reproduce the problem?
1. Launch chrome and navigate to http://www.softlayer.com/virtual-servers
2. Drag any slider present under 'Build the virtual server you need' and observe
Actual: Tab crash is observed.
Expected: Tab crash should not be seen
Crash id: Crash ID 8b9bbce200000000 (35c3e836-8719-4c3f-84b5-41144088ae53)
This is a regression issue, broken in 'M 52', and I will soon update the info:
Good build: 52.0.2705.0
Bad build: 52.0.2707.0
Apr 27 2016
Correction: Chrome Version: 52.0.2718.0 (Official Build) fd0a0f9879fc02e65d477f57f8f929fa4d7f0b75-refs/heads/master@{#389938} 32/64 bit
Apr 27 2016
Providing the Stack Trace for the Crash ID -- 8b9bbce200000000
Thread 0 CRASHED [EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE @ 0x0000003a00000000 ]
MAGIC SIGNATURE THREAD
0x0000003a00000000
0x00000039fdb08bd4
0x00000039fdf37406
0x00000039fe1938f5
0x00000039fdb08bd4
0x00000039fe192549
0x00000039fdb08bd4
0x00000039fe191f1e
0x00000039fdb08bd4
0x00000039fe1679dc
0x00000039fdb08bd4
0x00000039fdb42e02
0x00000039fdb148ee
0x0000000105f9e57f (Google Chrome Framework -execution.cc:97 ) v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>)
0x0000000105f9e3b5 (Google Chrome Framework -execution.cc:153 ) v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*)
0x0000000105cc7442 (Google Chrome Framework -api.cc:4533 ) v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*)
0x000000010711672c (Google Chrome Framework -V8ScriptRunner.cpp:456 ) blink::V8ScriptRunner::callFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*)
0x0000000107107ab8 (Google Chrome Framework -V8EventListener.cpp:94 ) blink::V8EventListener::callListenerFunction(blink::ScriptState*, v8::Local<v8::Value>, blink::Event*)
0x00000001071007f7 (Google Chrome Framework -V8AbstractEventListener.cpp:130 ) blink::V8AbstractEventListener::invokeEventHandler(blink::ScriptState*, blink::Event*, v8::Local<v8::Value>)
0x00000001071006d3 (Google Chrome Framework -V8AbstractEventListener.cpp:95 ) blink::V8AbstractEventListener::handleEvent(blink::ScriptState*, blink::Event*)
0x00000001071005f7 (Google Chrome Framework -V8AbstractEventListener.cpp:84 ) blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*)
0x000000010695f19b (Google Chrome Framework -EventTarget.cpp:451 ) blink::EventTarget::fireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1ul>&)
0x000000010695eb61 (Google Chrome Framework -EventTarget.cpp:377 ) blink::EventTarget::fireEventListeners(blink::Event*)
0x0000000106956f69 (Google Chrome Framework -EventDispatcher.cpp:186 ) blink::EventDispatcher::dispatch()
0x000000010696378a (Google Chrome Framework -MouseEvent.cpp:292 ) blink::MouseEventDispatchMediator::dispatchEvent(blink::EventDispatcher&) const
0x0000000106956849 (Google Chrome Framework -EventDispatcher.cpp:49 ) blink::EventDispatcher::dispatchEvent(blink::Node&, blink::EventDispatchMediator*)
0x000000010698080f (Google Chrome Framework -PointerEventManager.cpp:57 ) blink::PointerEventManager::sendMousePointerEvent(blink::Node*, WTF::AtomicString const&, int, blink::PlatformMouseEvent const&, blink::Node*, blink::DOMWindow*, blink::Node*)
0x0000000106970529 (Google Chrome Framework -EventHandler.cpp:1845 ) blink::EventHandler::handleMousePressEvent(blink::PlatformMouseEvent const&)
0x0000000106395cc2 (Google Chrome Framework -PageWidgetDelegate.cpp:202 ) blink::PageWidgetEventHandler::handleMouseDown(blink::LocalFrame&, blink::WebMouseEvent const&)
0x00000001063e6af5 (Google Chrome Framework -WebViewImpl.cpp:554 ) blink::WebViewImpl::handleMouseDown(blink::LocalFrame&, blink::WebMouseEvent const&)
0x0000000106395aa9 (Google Chrome Framework -PageWidgetDelegate.cpp:133 ) blink::PageWidgetDelegate::handleInputEvent(blink::PageWidgetEventHandler&, blink::WebInputEvent const&, blink::LocalFrame*)
0x00000001063e9216 (Google Chrome Framework -WebViewImpl.cpp:2212 ) blink::WebViewImpl::handleInputEvent(blink::WebInputEvent const&)
0x000000010891e83a (Google Chrome Framework -render_widget_input_handler.cc:321 ) content::RenderWidgetInputHandler::HandleInputEvent(blink::WebInputEvent const&, ui::LatencyInfo const&, content::InputEventDispatchType)
0x000000010899823b (Google Chrome Framework -tuple.h:166 ) bool IPC::MessageT<InputMsg_HandleInputEvent_Meta, std::__1::tuple<blink::WebInputEvent const*, ui::LatencyInfo, content::InputEventDispatchType>, void>::Dispatch<content::RenderWidget, content::RenderWidget, void, void (content::RenderWidget::*)(blink::WebInputEvent const*, ui::LatencyInfo const&, content::InputEventDispatchType)>(IPC::Message const*, content::RenderWidget*, content::RenderWidget*, void*, void (content::RenderWidget::*)(blink::WebInputEvent const*, ui::LatencyInfo const&, content::InputEventDispatchType))
0x000000010899787b (Google Chrome Framework -render_widget.cc:482 ) content::RenderWidget::OnMessageReceived(IPC::Message const&)
0x0000000108984e80 (Google Chrome Framework -render_view_impl.cc:1361 ) content::RenderViewImpl::OnMessageReceived(IPC::Message const&)
0x00000001051c565f (Google Chrome Framework -message_router.cc:52 ) IPC::MessageRouter::RouteMessage(IPC::Message const&)
0x00000001051c55db (Google Chrome Framework -message_router.cc:44 ) IPC::MessageRouter::OnMessageReceived(IPC::Message const&)
0x0000000107e060c5 (Google Chrome Framework -child_thread_impl.cc:649 ) content::ChildThreadImpl::OnMessageReceived(IPC::Message const&)
0x0000000108980072 (Google Chrome Framework -bind_internal.h:211 ) base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (base::CancelableCallback<void (IPC::Message const&)>::*)(IPC::Message const&)>, void (base::CancelableCallback<void (IPC::Message const&)> const*, IPC::Message const&), base::WeakPtr<base::CancelableCallback<void (IPC::Message const&)> > >, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (base::CancelableCallback<void (IPC::Message const&)>::*)(IPC::Message const&)> >, void (IPC::Message const&)>::Run(base::internal::BindStateBase*, IPC::Message const&)
0x0000000108918f78 (Google Chrome Framework -callback.h:397 ) base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::Callback<void (IPC::Message const&), (base::internal::CopyMode)1>, void (IPC::Message const&), IPC::Message&>, base::internal::InvokeHelper<false, void, base::Callback<void (IPC::Message const&), (base::internal::CopyMode)1> >, void ()>::Run(base::internal::BindStateBase*)
0x00000001046bedaa (Google Chrome Framework -callback.h:397 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&)
0x0000000107e63e89 (Google Chrome Framework -task_queue_manager.cc:289 ) scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(scheduler::internal::WorkQueue*, scheduler::internal::TaskQueueImpl::Task*)
0x0000000107e62d78 (Google Chrome Framework -task_queue_manager.cc:201 ) scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool)
0x0000000107e650f2 (Google Chrome Framework -bind_internal.h:181 ) base::internal::Invoker<base::IndexSequence<0ul, 1ul, 2ul>, base::internal::BindState<base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>, void (scheduler::TaskQueueManager*, base::TimeTicks, bool), base::WeakPtr<scheduler::TaskQueueManager>, base::TimeTicks&, bool>, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)> >, void ()>::Run(base::internal::BindStateBase*)
0x00000001046bedaa (Google Chrome Framework -callback.h:397 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&)
0x00000001046e0af2 (Google Chrome Framework -message_loop.cc:479 ) base::MessageLoop::RunTask(base::PendingTask const&)
0x00000001046e0e0b (Google Chrome Framework -message_loop.cc:488 ) base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&)
0x00000001046e127a (Google Chrome Framework -message_loop.cc:638 ) base::MessageLoop::DoDelayedWork(base::TimeTicks*)
0x00000001046b4078 (Google Chrome Framework -message_pump_mac.mm:334 ) base::MessagePumpCFRunLoopBase::RunWork()
0x00000001046d6f09 (Google Chrome Framework + 0x0058cf09 ) base::mac::CallWithEHFrame(void () block_pointer)
0x00000001046b3a63 (Google Chrome Framework -message_pump_mac.mm:306 ) base::MessagePumpCFRunLoopBase::RunWorkSource(void*)
0x00007fff8fbc9a00 (CoreFoundation + 0x00080a00 ) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00007fff8fbbbb8c (CoreFoundation + 0x00072b8c ) __CFRunLoopDoSources0
0x00007fff8fbbb1be (CoreFoundation + 0x000721be ) __CFRunLoopRun
0x00007fff8fbbabd7 (CoreFoundation + 0x00071bd7 ) CFRunLoopRunSpecific
0x00007fff8f186b28 (Foundation + 0x00090b28 ) -[NSRunLoop(NSRunLoop) runMode:beforeDate:]
0x00000001046b46dd (Google Chrome Framework -message_pump_mac.mm:608 ) base::MessagePumpNSRunLoop::DoRun(base::MessagePump::Delegate*)
0x00000001046b3eb3 (Google Chrome Framework -message_pump_mac.mm:238 ) base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x00000001046f7dc2 (Google Chrome Framework -run_loop.cc:35 ) base::RunLoop::Run()
0x00000001046e027c (Google Chrome Framework -message_loop.cc:295 ) base::MessageLoop::Run()
0x00000001089a5d13 (Google Chrome Framework -renderer_main.cc:219 ) content::RendererMain(content::MainFunctionParams const&)
0x0000000104675c13 (Google Chrome Framework -content_main_runner.cc:742 ) content::ContentMainRunnerImpl::Run()
0x0000000104675015 (Google Chrome Framework -content_main.cc:20 ) content::ContentMain(content::ContentMainParams const&)
0x000000010414c879 (Google Chrome Framework -chrome_main.cc:84 ) ChromeMain
0x00000001040e3d51 (Google Chrome Helper -chrome_exe_main_mac.c:87 ) main
0x00000001040e3b33 (Google Chrome Helper + 0x00000b33 ) start
Adding RB label as this is a recent Regression. Please remove if not required. Also adding v8 sheriffs in Cc. Thank You.
Apr 27 2016
Still reproduces with ToT. However I have to move all three sliders; the order doesn't matter, it's always the third slider I move that causes the issue.
In Release mode, we crash somewhere in generated code by taking an invalid jump:
(gdb) p/x $rip
$1 = 0x1a2e00000000
In Debug mode, we get stuck for 17+ minutes in Turbofan graph verification:
(gdb) bt
#0 0x00007fad09e5a078 in v8::internal::compiler::Node::Uses::const_iterator::operator* (this=0x7ffe3f4b06f8) at ../../v8/src/compiler/node.h:529
#1 0x00007fad0a096709 in std::__find<v8::internal::compiler::Node::Uses::const_iterator, v8::internal::compiler::Node*> (__first=..., __last=...,
__val=@0x7ffe3f4b0980: 0x377951eb15c0)
at /usr/local/google/home/jkummerow/chrome/src/build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_algo.h:135
#2 0x00007fad0a0965cf in std::find<v8::internal::compiler::Node::Uses::const_iterator, v8::internal::compiler::Node*> (__first=..., __last=...,
__val=@0x7ffe3f4b0980: 0x377951eb15c0)
at /usr/local/google/home/jkummerow/chrome/src/build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_algo.h:4403
#3 0x00007fad0a092dec in v8::internal::compiler::IsDefUseChainLinkPresent (def=0x377951f53228, use=0x377951eb15c0) at ../../v8/src/compiler/verifier.cc:33
#4 0x00007fad0a08ff52 in v8::internal::compiler::Verifier::Visitor::Check (this=0x7ffe3f4b11a8, node=0x377951eb15c0)
at ../../v8/src/compiler/verifier.cc:153
#5 0x00007fad0a0937d7 in v8::internal::compiler::Verifier::Run (graph=0x377953e4d030, typing=v8::internal::compiler::Verifier::UNTYPED,
check_inputs=v8::internal::compiler::Verifier::kAll) at ../../v8/src/compiler/verifier.cc:1046
#6 0x00007fad09fe9234 in v8::internal::compiler::VerifyGraphPhase::Run (this=0x7ffe3f4b12f0, data=0x7ffe3f4b1588, temp_zone=0x3779537c0e90, untyped=true,
values_only=false) at ../../v8/src/compiler/pipeline.cc:1131
#7 0x00007fad09fdf4ba in v8::internal::compiler::Pipeline::Run<v8::internal::compiler::VerifyGraphPhase, bool> (this=0x7ffe3f4b1ce8, arg_0=true)
at ../../v8/src/compiler/pipeline.cc:532
#8 0x00007fad09fdf3cd in v8::internal::compiler::Pipeline::RunPrintAndVerify (this=0x7ffe3f4b1ce8, phase=0x7fad0a90eb43 <.L.str.11> "Initial untyped",
untyped=true) at ../../v8/src/compiler/pipeline.cc:1149
#9 0x00007fad09fdfb01 in v8::internal::compiler::Pipeline::GenerateCode (this=0x7ffe3f4b1ce8) at ../../v8/src/compiler/pipeline.cc:1211
#10 0x00007fad09fe7f9a in v8::internal::compiler::(anonymous namespace)::PipelineCompilationJob::CreateGraphImpl (this=0x377951bb7030)
at ../../v8/src/compiler/pipeline.cc:493
#11 0x00007fad0a0b707f in v8::internal::OptimizedCompileJob::CreateGraph (this=0x377951bb7030) at ../../v8/src/compiler.cc:327
#12 0x00007fad0a0c2736 in v8::internal::(anonymous namespace)::GetOptimizedCodeLater (info=0x37795381caa0) at ../../v8/src/compiler.cc:780
#13 0x00007fad0a0bad78 in v8::internal::(anonymous namespace)::GetOptimizedCode (function=..., mode=v8::internal::Compiler::CONCURRENT, osr_ast_id=...,
osr_frame=0x0) at ../../v8/src/compiler.cc:853
#14 0x00007fad0a0ba60e in v8::internal::Compiler::CompileOptimized (function=..., mode=v8::internal::Compiler::CONCURRENT) at ../../v8/src/compiler.cc:1228
#15 0x00007fad0a5d9fd2 in v8::internal::__RT_impl_Runtime_CompileOptimized_Concurrent (args=..., isolate=0x377951392020)
at ../../v8/src/runtime/runtime-compiler.cc:61
#16 0x00007fad0a5d9ce7 in v8::internal::Runtime_CompileOptimized_Concurrent (args_length=1, args_object=0x7ffe3f4b24e8, isolate=0x377951392020)
at ../../v8/src/runtime/runtime-compiler.cc:55
--js-flags="--turbo-filter=~" avoids the crash.
Apr 28 2016
This regressed when we shipped try-catch with TurboFan. The function in question is utag.loader.loadrules. I'll try to figure out what's going on exactly.
Apr 28 2016
Crashes when trying to call the deoptimizer. The trampoline where it tries to jump to is not there (that's where we crash).
Apr 28 2016
Minimized test case (run with d8 --turbo --allow-natives-syntax):
// Build the source of a function whose switch has 16500 cases. Each case
// is a property load, so the optimized code needs far more deoptimization
// points than the deoptimization table can hold (see the fix below).
var s = "function f(x, o) {\n switch (x) {\n ";
for (var i = 0; i < 16500; i++) {
  s += " case " + i + ": return o.a; \n";
}
s += " }\n}";
eval(s);
// Force TurboFan to compile f on its next call instead of waiting for it to
// become hot; the crash happens on the way into the optimized code.
%OptimizeFunctionOnNextCall(f);
f(1, { a : 6});
Apr 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/5247b2679c3dc6cdf3ceba59c563e7c35a8428b1
commit 5247b2679c3dc6cdf3ceba59c563e7c35a8428b1
Author: jarin <jarin@chromium.org>
Date: Thu Apr 28 11:12:10 2016
[turbofan] Abort compilation when the max deoptimization table size is exceeded.
BUG= chromium:607115
LOG=n
Review-Url: https://codereview.chromium.org/1928903002
Cr-Commit-Position: refs/heads/master@{#35855}
[modify] https://crrev.com/5247b2679c3dc6cdf3ceba59c563e7c35a8428b1/src/compiler/arm/code-generator-arm.cc
[modify] https://crrev.com/5247b2679c3dc6cdf3ceba59c563e7c35a8428b1/src/compiler/arm64/code-generator-arm64.cc
[modify] https://crrev.com/5247b2679c3dc6cdf3ceba59c563e7c35a8428b1/src/compiler/code-generator.cc
[modify] https://crrev.com/5247b2679c3dc6cdf3ceba59c563e7c35a8428b1/src/compiler/code-generator.h
[modify] https://crrev.com/5247b2679c3dc6cdf3ceba59c563e7c35a8428b1/src/compiler/ia32/code-generator-ia32.cc
[modify] https://crrev.com/5247b2679c3dc6cdf3ceba59c563e7c35a8428b1/src/compiler/mips/code-generator-mips.cc
[modify] https://crrev.com/5247b2679c3dc6cdf3ceba59c563e7c35a8428b1/src/compiler/mips64/code-generator-mips64.cc
[modify] https://crrev.com/5247b2679c3dc6cdf3ceba59c563e7c35a8428b1/src/compiler/ppc/code-generator-ppc.cc
[modify] https://crrev.com/5247b2679c3dc6cdf3ceba59c563e7c35a8428b1/src/compiler/s390/code-generator-s390.cc
[modify] https://crrev.com/5247b2679c3dc6cdf3ceba59c563e7c35a8428b1/src/compiler/x64/code-generator-x64.cc
[modify] https://crrev.com/5247b2679c3dc6cdf3ceba59c563e7c35a8428b1/src/compiler/x87/code-generator-x87.cc
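The commit message names the fix but not the failure mode it closes. As an added illustration (not V8's code, and not taken from the commit above), the model below mirrors the pattern: a code generator hands out one deoptimization-table slot per bailout point, the unchecked entry lookup still computes an address for an id past the last slot, so the generated code ends up jumping to something that is not a trampoline (the invalid jump seen in comment 3), while the checked variant aborts compilation instead. It assumes a table capacity of 16384 (V8's Deoptimizer::kMaxNumberOfEntries at the time, which the 16500-case repro just exceeds) and constructed base-address and stride values.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Model of a deoptimization table: kMaxEntries trampoline slots, kEntrySize
// bytes apart, starting at kTableBase. A bailout id indexes the table.
constexpr std::size_t kMaxEntries = 16384;     // assumed capacity (V8: Deoptimizer::kMaxNumberOfEntries)
constexpr std::uintptr_t kTableBase = 0x1000;  // constructed base address for the model
constexpr std::uintptr_t kEntrySize = 16;      // constructed slot stride

struct CompiledCode {
  bool ok = false;                            // false: compilation aborted, fall back to unoptimized code
  std::vector<std::uintptr_t> deopt_targets;  // jump target emitted for each bailout point
};

// Unchecked lookup: computes a target for any id, including ids past the last
// slot. For id >= kMaxEntries the result is not a trampoline at all, so code
// that jumps there takes an invalid jump.
std::uintptr_t DeoptEntryUnchecked(std::size_t id) {
  return kTableBase + id * kEntrySize;
}

// Checked lookup: refuses ids the table cannot address.
bool DeoptEntryChecked(std::size_t id, std::uintptr_t* out) {
  if (id >= kMaxEntries) return false;
  *out = kTableBase + id * kEntrySize;
  return true;
}

// Emits one deopt jump per bailout point (one per switch case in the repro).
// 'checked' selects the behaviour the fix introduced: abort compilation
// rather than emit a jump to a slot the table does not have.
CompiledCode Generate(std::size_t bailout_points, bool checked) {
  CompiledCode code;
  for (std::size_t id = 0; id < bailout_points; ++id) {
    std::uintptr_t target;
    if (checked) {
      if (!DeoptEntryChecked(id, &target)) return code;  // ok stays false
    } else {
      target = DeoptEntryUnchecked(id);
    }
    code.deopt_targets.push_back(target);
  }
  code.ok = true;
  return code;
}

// True when a target lies within the slots the table actually has.
bool TargetInsideTable(std::uintptr_t target) {
  return target >= kTableBase && target < kTableBase + kMaxEntries * kEntrySize;
}
```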
May 3 2016
Unable to repro this issue on Windows 7 & MAC (10.11.4) for Google Chrome Dev Version 52.0.2723.0 & Google Chrome Canary Version 52.0.2723.0. Screen recording is attached. @dmascarenhas: Could you also confirm once and remove the RB-Stable label if it is not reproduced? Thank you.
May 4 2016
In response to comment #9: the above issue seems to be fixed on Windows 7 & MAC (10.11.4)(10.10.5) for the latest Chrome Version: 52.0.2724.0 (Official Build) 76d17b826d6473ef7a4bb731aa8b8dc05aaa5ab6-refs/heads/master@{#391399}
May 9 2016
Jul 12 2016
Sep 28 2016
[Auto-generated comment by a script] We noticed that this issue is targeted for M-52; it appears the fix may have landed after branch point, meaning a merge might be required. Please confirm if a merge is required here - if so add Merge-Request-52 label, otherwise remove Merge-TBD label. Thanks.
Sep 28 2016
[Bulk edit] Our blockerbot script was offline; it was recently brought back online, and thus labeled many old issues (including this one) erroneously. Removing Merge-TBD label since all milestones for this issue are already completed; no further work should be done.
Comment 1 by dmascare...@etouch.net, Apr 27 2016
Owner: rob.b...@samsung.com
Status: Assigned (was: Unconfirmed)